PRIVACY POLICY

Personal Data Protection Policy

1. Principle and Rationale

Personal Data Protection Act B.E. 2562 was created to make Personal Data protection effective and to have efficient measures to remedy the Personal Data subject from infringement of the rights in Personal Data. The enactment of this Act is in accordance with the provision in Article 26 of the Constitution of the Kingdom of Thailand.

Nissho Asia (Thailand) Co., Ltd. (“Company”), the Company adheres to conducting business with ethics, paying respect and complying with applicable laws. The Company is aware of data privacy related to Personal Data and is committed to protecting the privacy of personal information. Thus, the policy is declared to be the basis for Personal Data protection. The Company acknowledges of the need in safety in conducting transactions and the storage of Personal Data. Therefore, the Company pays attention to paying respect to the privacy rights of individuals and Personal Data security. The Company has set out the policies, regulations and criteria for operation with strict measures for Personal Data security to ensure that the Personal Data received by the Company will be used according to individual needs and will be legally utilized.

This Privacy Policy describes how the Company collect, use, disclose, share, store, and transfer information about the data subject when the data subject use the Company’s services (collectively, “Services”). The Company acts as a Data Controller for any information collected through the Services.

2. Personal Data

Personal Data (“Personal Data”) is the data that makes us be able to specify the identity of each person, directly or indirectly, which are:

1. Personal Data that is provided to the Company directly or through other channels, including when using the service, contact, visit, search through digital channel, website, Call Center, the person in charge, or any other channels.
2. The Personal Data received or accessed by the Company through other sources that is not directly from you, such as father, mother, children, spouse, sibling, government agency, business partner, and data service provider, etc. which the Company will notify the data subject regarding the detail of the collected Personal Data and the detail of the third party. Such notification will be made within 30 days from the date of the collection.

3. Personal Data collected by the Company

The Personal Data that the Company has gathered, used and/or disclosed, such as:

1. Personal information, such as name, surname, age, dated of birth, marital status, National ID Number, Passport Number
2. Contact information, such as accommodation, workplace, telephone, number, e-mail, LINE ID
3. Information of equipment or tools, such as IP Address, MAC Address, Cookie ID
4. Other information, such as website usage, sound, image, animated image, and any other information that is considered Personal Data under Personal Data protection law.
5. Website of the Company may use cookies in some cases. Cookies are small-size data file that record the data that is exchanged between the computer of the data subject and our website. The Company uses cookies only to record the data that maybe useful for the data subject in the next time that the data subject return to visit the website of the Company. When the data subject use the web browser, the data subject can set up the value to accept all cookies or reject all cookies or ask the web browser to notify the data subject whenever the cookies are sent. The data subject can set up at the menu “help” in the browser to learn the method to change the use of cookies of the data subject. Please bear in mind that the disable or cookie use may affect the function of some services for the data subject.
6. Information provided from third parties, For example, the Company may collect the data subject account information of third-party’s service when the data subject logs in Services through such account. The Company may also collect and use information of how the data subject’s usage activities on third-party’s services from marketing service providers.

4. Purpose and details of the gathering, usage and/or disclosure of Personal Data

The Company will gather the Personal Data for the benefit of business operation according to the purposes, as well as to comply with any law that the Company or the individual must follow and for any purposes as specified in this policy as follows:

4.1 To make the Company be able to operate the business according to the purposes, such as:

1. To provide the Service
2. To maintain and improve the Service
3. To provide personalized services
4. To develop new services
5. To provide ads
6. To measure and analyze performance
7. To communicate with the data subject
8. To protect the Company, users, and the public

4.2 To perform its duties according to the relevant law or legal obligations, such as:

1. Compliance with the orders of the legal authority
2. Compliance with the financial institution business law, securities and exchange law, life insurance law, non-life insurance law, tax law, anti-money laundering law, terrorism and proliferation of weapons of mass destruction financing law, computer law, bankruptcy law and other laws that the Company is required to comply with, both in Thailand and abroad, including announcements and regulations issued under the said laws.

4.3 To conduct necessary operation under the legitimate interest without exceeding the limits that an individual can reasonably expect (Legitimate Interest), such as:

1. CCTV recording and ticket exchange before entering the Company area
2. Maintaining relationship with the customers, such as handling complaints, satisfaction assessment for customer care conducted by the employee of the Company
3. Risk management, auditing supervision and internal management
4. Making Personal Data to be anonymous data
5. Preventing, handling and mitigating the risks of fraudulent activity, cyber threat, default for debt repayment or breach of contract (e.g. bankruptcy information), law violation, such as money laundering, financial support for terrorism and proliferate weapons of mass destruction, offenses relating to asset, life, body, liberty, or reputation), which includes sharing Personal Data to raise the standard of work of the office in preventing, handling and mitigating the above risks.
6. Gathering, using and/or disclosing the Personal Data of the authorized directors, representative of the corporate customer
7. Contacting, recording the image or voice of meeting, training, recreation activities and exhibition
8. Gathering, using and/or disclosing Personal Data of the person who is under receivership by court order
9. Receiving – delivery of parcels

4.4 If the data subject does not provide the Company with his Personal Data which is necessary for complying with laws or performing the contract between him and the Company, he may not be allowed to use part of the Company service.

4.5 The Company may disclose the Personal Data to other people under the consent of the person, according to the Consent Form or under the legal basis allowed by law.

5. The legal basis of the Personal Data processing

Personal Data that the Company has processed and categorized by the legal basis is as follows:

1. Contract basis
2. Vital Interest basis
3. Legal Obligation basis
4. Public Task basis
5. Legitimate Interest basis
6. Consent basis

If there is a (lawful) change in the purpose of Personal Data use, the Company will notify the individual within 30 days.

6. Processing of Personal Data by third parties

The Company may need to submit or transfer the Personal Data to third parties for processing, such as service providers, technical support, customer management, IT service providers, or advertising service providers, etc. The Company will ensure the submission or transfer of Personal Data in accordance with the law and will take action to have Personal Data protection measures that we deem necessary and appropriate to comply with confidentiality standards, such as fragmentation before submission of Personal Data. Alternately, the Company may choose to implement a Personal Data protection policy that has been reviewed and approved by the relevant legal authority and will proceed to submit or transfer Personal Data to third parties for processing according to the aforementioned Personal Data protection policy instead of the operation according to the law.

7. Submitting or transferring the Personal Data abroad

The Company may need to submit or transfer Personal Data to companies in the Company’s network located abroad or to other recipients as part of the Company’s normal business operations, such as submitting or transferring Personal Data to store on the server / cloud in various countries. In the event that the destination country does not have sufficient standards, the Company will take care of the submission or transfer of Personal Data to be in accordance with the law and will take Personal Data protection measures that are deemed necessary and appropriate in accordance with confidentiality standards, such as entering into confidentiality agreements with recipients in such countries, or if the recipient is a company in the Company’s network located abroad, the Company may choose to implement a Personal Data protection policy that has been examined and approved by the authority according to the relevant laws. And the Company will proceed to submit or transfer Personal Data to the company in the Company’s network abroad to be in accordance with the aforementioned Personal Data protection policy instead of complying with the law provision.

8. Duration of Personal Data record

The Company will keep Personal Data for a period required for conducting the business according to the purpose, throughout the period required for achieving the objectives related to this policy, or until the data subject requests the Company to erase or destroy his Personal Data. The data may need to be kept further if any laws requiring or allowing to do so, for example, keeping in accordance with the Anti-Money Laundering Law, keeping for the purpose of verifying and examining a possible dispute within the legal term of the law, for not more than 10 years. In this regard, the Company will delete or destroy Personal Data or make it to be anonymous data when it is not necessary or when the Company received a requirement from the data subject, or such term has ended.

9. Personal Data protection and risk and impact assessment

The Company will duly keep the Personal Data according to the Technical Measure, Management Measure and Organizational Measure to secure Personal Data processing and to prevent Personal Data violation. The Company has established relevant regulations and criteria for the protection of Personal Data and have assessed the risks and impacts of Personal Data protection, such as information technology system security standards, measures to prevent recipients who have received the data from the Company from using or disclosing information outside of their purpose or without authorization or unlawful authorization.

The Company has revised regulations, criteria and risk and impact assessment for such Personal Data protection regularly, as necessary and as appropriate, assessment of risks and impacts of Personal Data protection, including loss of reliability, trust and reliability of the customer, disadvantage in competition in the market and business, being taken legal action.

10. Right of an individual about Personal Data

Right of an individual about Personal Data is the right according to the law that people should be aware of. An individual can request to exercise the rights under the existing laws or the policy or further amendment thereto in the future, as well as the criteria as specified by the Company. In the case where a person is a minor or the ability to conduct juristic acts is limited according to the law, the individual can request to exercise the rights by getting the parent, guardian or authorized person to submit the request, with the following rights:

10.1 Right to be informed

If an individual wishes to give consent to the Company for the collection, use and/or disclosure of Personal Data, they have the right to know in detail about the purposes for which Personal Data is collected, used and/or disclosed. The data subject may or may not provide information, or in the case where the law is required to provide information.

10.2 Right to withdraw consent

If an individual has given consent for the Company to collect, use and/or disclose Personal Data (whether consent has been given by the person before the date on which Personal Data protection law comes into force or thereafter), the individual has the right to withdraw consent at any time throughout the period that Personal Data is with the Company, unless there is a restriction to the rights according to the law or there is a contract that will benefit the individual.

In this regard, the withdrawal of the consent of the individual may affect the such individual from the performance according to the contract. For the benefit of the individual, it is important to study and inquire about the effects before withdrawing consent.

10.3 Right to request to access information

An individual has the right to request to access to the Personal Data of such individual which is in the Company’s responsibility and ask the Company to make a copy of the data for such individual, including asking the Company to disclose how the Company got that Personal Data.

10.4 Right to request for data portability

An individual has the right to apply for Personal Data in case the Company has made the Personal Data in a form that is readable and usable by automatic tools or devices and usable or revealable Personal Data by automated method. An individual also have the right to request the Company to submit or transfer Personal Data in such format to other Personal Data controllers when it can be done by automated method and have the right to request Personal Data that the Company submitted or transferred Personal Data in such format to other Personal Data supervisor directly, unless it cannot be performed due to technical reasons.

However, the above Personal Data must be Personal Data that the Company has obtained consent to gather, use and/or disclose, or is the Personal Data that the Company is required to gather, use and/or disclose in order to perform the obligations according to the contract as wishes, or other Personal Data as specified by the legal authority.

10.5 Right to object to the gathering, use and disclosure of Personal Data

An individual has the right to object to the gathering, use and/or disclosure of Personal Data at any time. In case of the gathering, use and/or disclosure of Personal Data that is made for the operations necessary within the legitimate interest of the Company or as required by law, without exceeding the limit that an individual can reasonably anticipate, or to carry out their mission for the public benefit, if individuals submit an objection, the Company will continue to gather, use and/or disclose their Personal Data, only those the Company can state that the legal reason that is more important than you fundamental rights or is it for confirmation of legal rights, legal compliance or the counter in legal action as the case may be.

10.6 Right to request for data erasure

An individual has the right to request to delete or destroy their Personal Data or make the personal anonymous, if an individual believes that the Personal Data is collected, used and/or disclosed in any unlawful manner, or it is deemed that the Company is not necessary to retain it for the related purposes in this policy, or when an individual has exercised the right to withdraw consent or exercise the right to objection as stated above.

10.7 Right to request for data restriction of processing

An individual has the right to request the temporary suspension of Personal Data use, in case the Company is in the process of reviewing the request to exercise the right to correct Personal Data, or objection, or any other cases where it is not necessary for the Company and the Personal Data must be erases or destroyed according to applicable law.

10.8 Right to request for data rectification

An individual has the right to request to correct Personal Data to be updated, completed and not to be misleading.

10.9 Right to complain

An individual has the right to submit a complaint to a related authority under the law, if the individual believes that the gathering, use and / or disclosure of your Personal Data is in a manner that violates or fails to comply with applicable laws.

10.10 Restrictions on the Exercise of Rights

The exercise of the rights of the individual as mentioned above may be restricted under applicable law and there are some cases where there is a need for the Company to refuse or fail to comply with the above request. For example, it is required by law or a court order for the public interest, or the exercise of right may violate the rights or liberties of others, etc. If the Company rejects the above request, the Company will inform the individual the reason for the refusal. In this regard, the Company will take action according to the exercise of right within 30 days from the day that the person submitted the application and supporting documents to the Managing Director of the Company completely.

11. Revision of the Policy

The Company will revise this policy at least once a year or in case there is any amendment to the law.

12. Contact information

If you have any questions regarding this Policy, please contact us here; or you may also contact us through the contacts set out below. 

Nissho Asia (Thailand) Co., Ltd.
8 Soi Romklao 17 Yaek 1, Khlong Sam Prawet, Lat Krabang, Bangkok 10520
[email protected]

Established on 31/1/2023
Latest Amendment on 31/1/2023